vcloud-edge_gateway 0.0.1

data/.gitignore

@@ -0,0 +1,16 @@
+*.gem
+*.rbc
+*.swp
+*.un~
+vcloud_env.sh
+replace_variables.sh
+/.bundle/
+/.ruby-version
+/Gemfile.lock
+/bundle/
+/pkg/
+vendor/
+coverage/
+results.html
+fog_integration_test.config
+.idea

data/Gemfile

@@ -0,0 +1,9 @@
+source 'http://rubygems.org'
+
+gemspec
+
+if ENV['VCLOUD_CORE_DEV_MASTER']
+  gem 'vcloud-core', :git => 'git@github.com:alphagov/vcloud-core.git', :branch => 'master'
+elsif ENV['VCLOUD_CORE_DEV_LOCAL']
+  gem 'vcloud-core', :path => '../vcloud-core'
+end

data/LICENSE.txt

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 HM Government (Government Digital Service)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,160 @@
+# vCloud Edge Gateway
+
+vCloud Edge Gateway is a tool that supports automated provisiong of a VMware vCloud Edge Gateway. It depends on [vCloud Core](https://github.com/alphagov/vcloud-core) and uses Fog under the hood.
+
+
+#Configure edge gateway services
+
+You can configure following services on an existing edgegateway using fog.
+- FirewallService
+- NatService
+- LoadBalancerService
+
+###How to configure:
+
+```ruby
+require 'fog'
+vcloud = Fog::Compute::VcloudDirector.new
+vcloud.post_configure_edge_gateway_services edge_gateway_id, configuration
+vcloud.process_task(task.body)
+```
+
+The Configuration contain definitions of any of the services listed.Details of service configurations may vary,
+but the mechanism is the same for updating any Edge Gateway service.<br/>You can include one or more services when you configure an Edge Gateway.
+
+###Examples:
+
+Service examples, to be used in place of the `configuration` object above.
+
+Firewall:
+```ruby
+configuration = {
+  :FirewallService => {
+    :IsEnabled => true,
+    :DefaultAction => 'allow',
+    :LogDefaultAction => false,
+    :FirewallRule => [
+      {
+        :Policy => 'allow',
+        :Description => 'description',
+        :Protocols => {:Tcp => true},
+        :Port => 22,
+        :DestinationPortRange => 22,
+        :DestinationIp => 'Internal',
+        :SourcePort => 22,
+        :SourceIp => 'External',
+        :SourcePortRange => '22'
+      }
+    ]
+  }
+}
+```
+
+Load balancer:
+```ruby
+configuration = {
+  :LoadBalancerService => {
+    :IsEnabled => "true",
+    :Pool => [
+      {
+        :Name => 'web-app',
+        :ServicePort => [
+          {
+            :IsEnabled => "true",
+            :Protocol => "HTTP",
+            :Algorithm => "ROUND_ROBIN",
+            :Port => 80,
+            :HealthCheckPort => 80,
+            :HealthCheck => {
+              :Mode => "HTTP", :HealthThreshold => 1, :UnhealthThreshold => 6, :Interval => 20, :Timeout => 25
+            }
+          },
+          {
+            :IsEnabled => true,
+            :Protocol => "HTTPS",
+            :Algorithm => "ROUND_ROBIN",
+            :Port => 443,
+            :HealthCheckPort => 443,
+            :HealthCheck => {
+              :Mode => "SSL", :HealthThreshold => 1, :UnhealthThreshold => 6, :Interval => 20, :Timeout => 25
+            }
+          }
+        ],
+        :Member => [
+          {
+            :IpAddress => "192.0.2.0",
+            :Weight => 1,
+            :ServicePort => [
+              {:Protocol => "HTTP", :Port => 80, :HealthCheckPort => 80}
+            ]
+          }
+        ]
+      }
+    ],
+    :VirtualServer => [
+      {
+        :IsEnabled => "true",
+        :Name => "app1",
+        :Description => "app1",
+        :Interface => {:name => "Default", :href => "https://vmware.api.net/api/admin/network/2ad93597-7b54-43dd-9eb1-631dd337e5a7"},
+        :IpAddress => '192.0.2.0',
+        :ServiceProfile => [
+          {:IsEnabled => "true", :Protocol => "HTTP", :Port => 80, :Persistence => {:Method => ""}},
+          {:IsEnabled => "true", :Protocol => "HTTPS", :Port => 443, :Persistence => {:Method => ""}}
+        ],
+        :Logging => false,
+        :Pool => 'web-app'
+      }
+    ]
+  }
+}
+```
+
+Nat:
+```ruby
+configuration = {
+  :NatService => {
+    :IsEnabled => true,
+    :nat_type => 'ipTranslation',
+    :Policy => 'allowTrafficIn',
+    :NatRule => [
+      {
+        :Description => 'a snat rule',
+        :RuleType => 'SNAT',
+        :IsEnabled => true,
+        :Id => '65538',
+        :GatewayNatRule => {
+          :Interface => {
+            :name => 'nft00001',
+            :href => 'https://vmware.api.net/api/admin/network/44265cc3-6d63-4ea9-ac72-4905b5aa6111'
+            },
+          :OriginalIp => "192.0.2.0",
+          :TranslatedIp => "203.0.113.10"
+        }
+      },
+      {
+        :Description => 'a dnat rule',
+        :RuleType => 'DNAT',
+        :IsEnabled => true,
+        :Id => '65539',
+        :GatewayNatRule =>
+        {
+          :Interface => {
+            :name => 'nft00001',
+            :href => 'https://vmware.api.net/api/admin/network/44265cc3-6d63-4ea9-ac72-4905b5aa6111'
+           },
+          :Protocol => 'tcp',
+          :OriginalIp => "203.0.113.10",
+          :OriginalPort => 22,
+          :TranslatedIp => "192.0.2.0",
+          :TranslatedPort => 22
+        },
+      }
+    ]
+  }
+ }
+```
+
+###Debug
+
+Set environment variable DEBUG=true to see fog debug info.

data/Rakefile

@@ -0,0 +1,23 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec) do |task|
+  # Set a bogus Fog credential, otherwise it's possible for the unit
+  # tests to accidentially run (and succeed against!) an actual
+  # environment, if Fog connection is not stubbed correctly.
+  ENV['FOG_CREDENTIAL'] = 'random_nonsense_owiejfoweijf'
+  ENV['COVERAGE'] = 'true'
+  task.pattern = FileList['spec/vcloud/**/*_spec.rb']
+end
+
+task :default => [:spec]
+
+RSpec::Core::RakeTask.new('integration') do |t|
+  t.pattern = FileList['spec/integration/**/*_spec.rb']
+end
+
+require "gem_publisher"
+task :publish_gem do |t|
+  gem = GemPublisher.publish_if_updated("vcloud-edge_gateway.gemspec", :rubygems)
+  puts "Published #{gem}" if gem
+end

data/bin/vcloud-edge

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+
+begin
+  require 'rubygems'
+  gem 'vcloud-edge_gateway'
+rescue LoadError
+end
+
+require 'vcloud/edge_gateway'
+
+print "Test message just to string this together"
+print "No CLI for vCloud Edge Gateway yet"

data/jenkins.sh

@@ -0,0 +1,11 @@
+#!/bin/bash -x
+set -e
+bundle install --path "${HOME}/bundles/${JOB_NAME}"
+bundle exec rake
+
+./scripts/generate_fog_conf_file.sh
+export FOG_RC=fog_integration_test.config
+bundle exec rake integration
+rm fog_integration_test.config
+
+bundle exec rake publish_gem

data/lib/vcloud/config_loader.rb

@@ -0,0 +1,27 @@
+require 'yaml'
+require 'json'
+
+module Vcloud
+  class ConfigLoader
+
+    def load_config(config_file, schema = nil)
+      input_config = YAML::load(File.open(config_file))
+
+      # There is no way in YAML or Ruby to symbolize keys in a hash
+      json_string = JSON.generate(input_config)
+      config = JSON.parse(json_string, :symbolize_names => true)
+
+      if schema
+        validation = ConfigValidator.validate(:base, config, schema)
+        unless validation.valid?
+          validation.errors.each do |error|
+            Vcloud::EdgeGateway.logger.fatal(error)
+          end
+          raise("Supplied configuration does not match supplied schema")
+        end
+      end
+      config
+    end
+
+  end 
+end

data/lib/vcloud/config_validator.rb

@@ -0,0 +1,207 @@
+require 'ipaddr'
+
+module Vcloud
+  class ConfigValidator
+
+    attr_reader :key, :data, :schema, :type, :errors
+
+    VALID_ALPHABETICAL_VALUES_FOR_IP_RANGE = %w(Any external internal)
+
+    def initialize(key, data, schema)
+      raise "Nil schema" unless schema
+      raise "Invalid schema" unless schema.key?(:type)
+      @type = schema[:type].to_s.downcase
+      @errors = []
+      @data   = data
+      @schema = schema
+      @key    = key
+      validate
+    end
+
+    def valid?
+      @errors.empty?
+    end
+
+    def self.validate(key, data, schema)
+      new(key, data, schema)
+    end
+
+    private
+
+    def validate
+      self.send("validate_#{type}".to_sym)
+    end
+
+    def validate_string
+      unless @data.is_a? String
+        errors << "#{key}: #{@data} is not a string"
+        return
+      end
+      return unless check_emptyness_ok
+      return unless check_matcher_matches
+    end
+
+    def validate_string_or_number
+      unless data.is_a?(String) || data.is_a?(Numeric)
+        @errors << "#{key}: #{@data} is not a string_or_number"
+        return
+      end
+    end
+
+    def validate_ip_address
+      unless data.is_a?(String)
+        @errors << "#{key}: #{@data} is not a valid ip_address"
+        return
+      end
+      @errors << "#{key}: #{@data} is not a valid ip_address" unless valid_ip_address?(data)
+    end
+
+    def validate_ip_address_range
+      unless data.is_a?(String)
+        @errors << "#{key}: #{@data} is not a valid IP address range. Valid values can be IP address, CIDR, IP range, 'Any','internal' and 'external'."
+        return
+      end
+      valid = valid_cidr_or_ip_address? || valid_alphabetical_ip_range? || valid_ip_range?
+      @errors << "#{key}: #{@data} is not a valid IP address range. Valid values can be IP address, CIDR, IP range, 'Any','internal' and 'external'." unless valid
+    end
+
+    def valid_cidr_or_ip_address?
+      begin
+        ip = IPAddr.new(data)
+        ip.ipv4?
+      rescue ArgumentError
+        false
+      end
+    end
+
+    def valid_alphabetical_ip_range?
+      VALID_ALPHABETICAL_VALUES_FOR_IP_RANGE.include?(data)
+    end
+
+    def valid_ip_address? ip_address
+      begin
+        #valid formats recognized by IPAddr are : “address”, “address/prefixlen” and “address/mask”.
+        # Attribute like member_ip in case of load-balancer is an "address"
+        # and we should not accept “address/prefixlen” and “address/mask” for such fields.
+        ip = IPAddr.new(ip_address)
+        ip.ipv4? && !ip_address.include?('/')
+      rescue ArgumentError
+        false
+      end
+    end
+
+    def valid_ip_range?
+      range_parts = data.split('-')
+      return false if range_parts.size != 2
+      start_address = range_parts.first
+      end_address = range_parts.last
+      valid_ip_address?(start_address) &&  valid_ip_address?(end_address) &&
+        valid_start_and_end_address_combination?(end_address, start_address)
+    end
+
+    def valid_start_and_end_address_combination?(end_address, start_address)
+      IPAddr.new(start_address) < IPAddr.new(end_address)
+    end
+
+    def validate_hash
+      unless data.is_a? Hash
+        @errors << "#{key}: is not a hash"
+        return
+      end
+      return unless check_emptyness_ok
+      check_for_unknown_parameters
+      if schema.key?(:internals)
+        internals = schema[:internals]
+        internals.each do |param_key,param_schema|
+          check_hash_parameter(param_key, param_schema)
+        end
+      end
+    end
+
+    def validate_array
+      unless data.is_a? Array
+        @errors << "#{key} is not an array"
+        return
+      end
+      return unless check_emptyness_ok
+      if schema.key?(:each_element_is)
+        element_schema = schema[:each_element_is]
+        data.each do |element|
+          sub_validator = ConfigValidator.validate(key, element, element_schema)
+          unless sub_validator.valid?
+            @errors = errors + sub_validator.errors
+          end
+        end
+      end
+    end
+
+    def validate_enum
+      unless (acceptable_values = schema[:acceptable_values]) && acceptable_values.is_a?(Array)
+        raise "Must set :acceptable_values for type 'enum'"
+      end
+      unless acceptable_values.include?(data)
+        acceptable_values_string = acceptable_values.collect {|v| "'#{v}'" }.join(', ')
+        @errors << "#{key}: #{@data} is not a valid value. Acceptable values are #{acceptable_values_string}."
+      end
+    end
+
+    def validate_boolean
+      unless [true, false].include?(data)
+        @errors << "#{key}: #{data} is not a valid boolean value."
+      end
+    end
+
+    def check_emptyness_ok
+      unless schema.key?(:allowed_empty) && schema[:allowed_empty]
+        if data.empty?
+          @errors << "#{key}: cannot be empty #{type}"
+          return false
+        end
+      end
+      true
+    end
+
+    def check_matcher_matches
+      return unless regex = schema[:matcher]
+      raise "#{key}: #{regex} is not a Regexp" unless regex.is_a? Regexp
+      unless data =~ regex
+        @errors << "#{key}: #{data} does not match"
+        return false
+      end
+      true
+    end
+
+    def check_hash_parameter(sub_key, sub_schema)
+      if sub_schema.key?(:required) && sub_schema[:required] == false
+        # short circuit out if we do not have the key, but it's not required.
+        return true unless data.key?(sub_key)
+      end
+      unless data.key?(sub_key)
+        @errors << "#{key}: missing '#{sub_key}' parameter"
+        return false
+      end
+      sub_validator = ConfigValidator.validate(
+        sub_key,
+        data[sub_key],
+        sub_schema
+      )
+      unless sub_validator.valid?
+        @errors = errors + sub_validator.errors
+      end
+    end
+
+    def check_for_unknown_parameters
+      unless internals = schema[:internals]
+        # if there are no parameters specified, then assume all are ok.
+        return true
+      end
+      if schema[:permit_unknown_parameters]
+        return true
+      end
+      data.keys.each do |k|
+        @errors << "#{key}: parameter '#{k}' is invalid" unless internals[k]
+      end
+    end
+
+  end
+end

data/lib/vcloud/edge_gateway/configuration_differ.rb

@@ -0,0 +1,17 @@
+module Vcloud
+  module EdgeGateway
+    class ConfigurationDiffer
+
+        def initialize local, remote
+          @local = local
+          @remote = remote
+        end
+
+        def diff
+          ( @local == @remote ) ? [] : HashDiff.diff(@local, @remote)
+        end
+
+    end
+  end
+
+end

data/lib/vcloud/edge_gateway/configuration_generator/firewall_service.rb

@@ -0,0 +1,63 @@
+module Vcloud
+  module EdgeGateway
+    module ConfigurationGenerator
+      class FirewallService
+
+        def generate_fog_config(input_config)
+          if input_config
+            firewall_service = {}
+            firewall_service[:IsEnabled] = input_config.key?(:enabled) ? input_config[:enabled].to_s : 'true'
+            firewall_service[:DefaultAction] = input_config.key?(:policy) ? input_config[:policy] : "drop"
+            firewall_service[:LogDefaultAction] = input_config.key?(:log_default_action) ? input_config[:log_default_action].to_s : 'false'
+            firewall_service[:FirewallRule] = populate_firewall_rules(input_config[:firewall_rules]) if input_config.key?(:firewall_rules)
+            firewall_service
+          end
+        end
+
+        private
+        def populate_firewall_rules rules
+          i = ID_RANGES::FIREWALL_SERVICE[:min]
+          rules.collect do |rule|
+            new_rule = {}
+            new_rule[:Id] = rule.key?(:id) ? rule[:id] : i.to_s
+            new_rule[:IsEnabled] = rule.key?(:enabled) ? rule[:enabled].to_s : 'true'
+            new_rule[:MatchOnTranslate] = rule.key?(:match_on_translate) ? rule[:match_on_translate].to_s : 'false'
+            new_rule[:Description] = rule.key?(:description) ? rule[:description] : ""
+            new_rule[:Policy] = rule.key?(:policy) ? rule[:policy] : "allow"
+            new_rule[:Protocols] = rule.key?(:protocols) ? handle_protocols(rule[:protocols]) : {Tcp: 'true'}
+            new_rule[:DestinationPortRange] = rule.key?(:destination_port_range) ? rule[:destination_port_range] : 'Any'
+            new_rule[:Port] = handle_vmware_port_deprecation_behaviour(rule[:destination_port_range])
+            new_rule[:DestinationIp] = rule[:destination_ip]
+            new_rule[:SourcePortRange] = rule.key?(:source_port_range) ? rule[:source_port_range] : 'Any'
+            new_rule[:SourcePort] = handle_vmware_port_deprecation_behaviour(rule[:source_port_range])
+            new_rule[:SourceIp] = rule[:source_ip]
+            new_rule[:EnableLogging] = rule.key?(:enable_logging) ? rule[:enable_logging].to_s : 'false'
+            i += 1
+            new_rule
+          end
+        end
+
+        def handle_vmware_port_deprecation_behaviour(port_spec)
+          (port_spec.to_s =~ /^\d+$/) ? port_spec.to_s : '-1'
+        end
+
+        def handle_protocols(protocols)
+          case protocols.downcase
+            when "tcp+udp"
+              {Tcp: 'true', Udp: 'true'}
+            when "udp"
+              {Udp: 'true'}
+            when "tcp"
+              {Tcp: 'true'}
+            when "icmp"
+              {Icmp: 'true'}
+            when "any"
+              {Tcp: 'true', Udp: 'true', Icmp: 'true'}
+          end
+        end
+
+      end
+    end
+
+  end
+end

data/lib/vcloud/edge_gateway/configuration_generator/id_ranges.rb

@@ -0,0 +1,10 @@
+module Vcloud
+  module EdgeGateway
+    module ConfigurationGenerator
+      module ID_RANGES
+        FIREWALL_SERVICE = {min: 1, max: 65536}
+        NAT_SERVICE = {min: 65537, max: 131072}
+      end
+    end
+  end
+end